Cloudflare Full (strict) SSL with an Azure hosted static website

Hi folks. I’m curious to see if anyone has managed to set up an Azure hosted static website (either Static Web Apps or storage + CDN) that works with Cloudflare DNS and Full (Strict) SSL? Primarily interested in how to do the encryption part between Cloudflare and Azure.

We have a static website hosted on Azure, set up a few years back using a storage account and CDN. Currently the CNAME points to the Azure CDN endpoint and Azure automatically manages the certificate renewal for the custom domain.

For the rest of our websites and apps, which are primarily on-prem we have a Cloudflare account which is configured with Full (Strict) SSL and they are all secured E2E. Traffic routed via Cloudflare has resulted in plenty of security and performance gains and ideally it would be nice to do similar with the static website as well.

From what I’ve seen, Azure static websites require the CNAME to point at the CDN endpoint in order to automatically manage and renew the certificate, so pointing CNAME → Cloudflare → Azure would break this and mean we’d have to manage renewals. For a bring-your-own cert on Azure CDN it only allows managing it through Azure Key Vault now. I imported a CF Origin cert as a PKCS#12/PFX (including the CF CA cert) but Azure doesn’t seem willing to let me use that for the custom domain and it fails with “Failed to update custom domain properties.The secret contains an unsupported content type.The content type needs to be application/x-pkcs12.” I can download it as CER and it’s fine; I’m guessing the issue is because Azure hasn’t trusted the CA.

Anywho, at a bit of a loss now and just curious if anyone else has managed it?

Many thanks in advance.

Are you sure you converted the certificate correctly?

There seem to be a lot of people using Origin certificates on Azure without problems.

This shouldn’t be included.

Are you using a Full setup or a CNAME setup for Cloudflare?
Generally, the default settings of the Cloudflare proxy are not compatible with ACME HTTP challenges, but this can be remedied by using a Configuration Rule to disable most Cloudflare features on the challenge path.


Thanks for your swift response @Laudian.

This was the command used to create the pfx…
openssl pkcs12 -export -out domain_out_file.pfx -inkey domain_private.key -in domain_public.crt -certfile Cloudflare_Origin_CA_Root.crt

If I download the imported certificate from Azure it all looks fine. I also tried without -certfile Cloudflare_Origin_CA_Root.crt but it had the same error. I believe (though I may be wrong) that Azure will need to trust the CF Origin CA certificate as well as the origin certificate generated for our domain, thus I decided to include it.

We use a CNAME setup as there is some DNS that we specifically don’t want proxied through Cloudflare.

With regards to the linked document (and all the successful walkthroughs I had seen), it uses Azure App Services rather than Azure Static Web Apps or Azure Storage Account + CDN. With Azure App Services it all seems to just work easily. Azure App Services would be too costly for the purpose of this web app, however perhaps it all just working is what you pay for.

The client needs to trust the certificate supplied by the server, and for that it already needs the root CA in its trust store. Sending the root CA is only done for compatibility when it is cross-signed by another root CA.
There is no reason the server would need to trust its own certificate, though it is not unheard of that some hosts prevent users from using untrusted certificates.

I’m not the biggest fan of Microsoft, but they tend to have competent engineers and I refuse to believe that they would do something so illogical and then display a completely unrelated error message.

I actually had a similar problem with an application a few months back:
The application required its certificate in .pfx as well, and I received very confusing errors when trying to import the certificate. It turned out that the application required the certificate to use Windows line breaks, even though it was running on a linux platform. Maybe this is the same issue?

I tried again with a pfx without -certfile Cloudflare_Origin_CA_Root.crt to remind myself of the error in that scenario. When trying to use that, you get “Exception of type ‘Microsoft.Azure.Cdn.Common.ProviderPluginContracts.ProviderException’”, which a bit of googling around suggests is one of these issues:

  1. The TLS certificate created is not a complete certificate chain with leaf and intermediate certificates.
  2. The root CA is not a part of the Microsoft Trusted CA List.

In this case I reckon it’s probably likely option 2. Microsoft’s docs have a line…
“When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed certificate authority (CA) that is part of the Microsoft Trusted CA List. If you use a non-allowed CA, your request will be rejected.”

Cloudflare isn’t on that list, which is unfortunate but I guess it is what it is.

I did a quick bit of testing with Azure Static Web Apps to see if that provided any alternative options and in fact that seems even more restrictive. With that you have to use an Azure managed certificate unless you add Azure Front Door as well which is what I already have in place.
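The thread turns on two separate questions about the PFX: whether the bundle carries the leaf together with its issuing CA (the openssl command posted above, with and without -certfile), and whether the side that validates the bundle trusts the root at the top of that chain. The script below is an added example, not code from the thread or from Cloudflare or Microsoft. Because no Cloudflare Origin certificate is available offline, it generates a throwaway “ca root” to stand in for Cloudflare_Origin_CA_Root.crt, a second unrelated root to stand in for a trust store (such as the Microsoft Trusted CA List) that does not contain that CA, and a leaf for the constructed domain example.com; the bundle password is also a constructed value. It builds the bundle both ways, counts what each contains, checks whether each can chain its own leaf to a root, and then shows that the same complete bundle passes or fails purely depending on which root the verifier trusts.

```shell
#!/bin/sh
# Added example (not from the thread): build the PKCS#12 bundle with and without
# the issuing CA, inspect what each carries, and show how the verifier's trust
# store decides acceptance. Stand-in CAs, example.com and the password are all
# constructed values; substitute the real Cloudflare Origin material in practice.
set -eu

WORK=${WORK:-$(mktemp -d)}
PFX_PASS=${PFX_PASS:-changeit}
cd "$WORK"

# Two self-signed roots: "ca" plays Cloudflare_Origin_CA_Root.crt, "other" plays
# a root that a trust store might contain instead of it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
for name in ca other; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name root" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
    -extfile ca_ext.cnf -out "$name.crt" 2>/dev/null
done

# Leaf for the (constructed) custom domain, issued by the stand-in origin CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
  -keyout domain.key -out domain.csr 2>/dev/null
openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -out domain.crt 2>/dev/null

# Same shape as the command posted in the thread; extra arguments such as
# "-certfile ca.crt" pass straight through, so the bundle can be built either way.
make_pfx() {
  out=$1; shift
  openssl pkcs12 -export -out "$out" -inkey domain.key -in domain.crt \
    -passout "pass:$PFX_PASS" "$@"
}

# Number of certificates inside a bundle (leaf only = 1, leaf + CA = 2).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Split a bundle into the certificate matching the key (leaf) and the rest (CAs).
# The "Bag Attributes" text openssl prints around each PEM block is ignored by
# later PEM readers, so the files can be fed to openssl verify directly.
pfx_split() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PFX_PASS" 2>/dev/null > "$1.leaf.pem"
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$PFX_PASS" 2>/dev/null > "$1.ca.pem"
}

# Condition 1 from the thread: does the bundle itself carry a complete chain,
# i.e. can the leaf be verified using only the CA certificates packed beside it?
pfx_chain_complete() {
  pfx_split "$1"
  openssl verify -CAfile "$1.ca.pem" "$1.leaf.pem" >/dev/null 2>&1
}

# Condition 2: would a verifier that trusts only the roots in $2 accept the leaf,
# with the bundle's own CA certificates offered as untrusted intermediates?
pfx_accepted_by() {
  pfx_split "$1"
  openssl verify -CAfile "$2" -untrusted "$1.ca.pem" "$1.leaf.pem" >/dev/null 2>&1
}

make_pfx full.pfx -certfile ca.crt   # leaf + issuing CA
make_pfx leafonly.pfx                # leaf only

for f in full.pfx leafonly.pfx; do
  printf '%s: %s certificate(s), chain complete: %s\n' "$f" "$(pfx_cert_count "$f")" \
    "$(pfx_chain_complete "$f" && echo yes || echo no)"
done
printf 'full.pfx accepted when the stand-in origin CA is trusted: %s\n' \
  "$(pfx_accepted_by full.pfx ca.crt && echo yes || echo no)"
printf 'full.pfx accepted when only an unrelated root is trusted: %s\n' \
  "$(pfx_accepted_by full.pfx other.crt && echo yes || echo no)"
```

The first check is the one you can settle locally before touching Azure: if `pfx_chain_complete` fails on your real bundle, the -certfile step went wrong. The second check cannot reproduce Azure’s own trust list offline; it only demonstrates that a bundle which is internally complete is still rejected by any verifier whose store lacks the issuing root, which is the distinction the later replies in the thread draw. When the bundle is ready, import it into Key Vault as a certificate object (for example with `az keyvault certificate import --file full.pfx --password ...`) rather than uploading the bytes as a plain secret, so that the backing secret carries the application/x-pkcs12 content type named in the error message quoted earlier.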
